Verify that the Expiration Date is set for all Keys in RBAC Key Vaults
Why this matters:
Keys without expiration dates remain valid indefinitely, increasing the risk of outdated or compromised cryptographic material being used. Enforcing key expiration ensures regular rotation and deactivation of keys, supporting a secure and auditable key lifecycle aligned with compliance and cryptographic hygiene best practices.
What this check does:
This check verifies that all enabled keys in RBAC-enabled Azure Key Vaults have an expiration date configured.
Check Logic:
For each Key Vault with EnableRbacAuthorization = true:
  every key where attributes.enabled = true must have attributes.expires ≠ null.
Where this is configured:
Azure Key Vault → Keys → Key Properties → Expiration Date field
How this check is executed:
Azure Portal:
- Navigate to Key vaults
- Select each vault, then go to Keys
- For each enabled key, confirm an Expiration Date is set
Azure CLI:
az keyvault list
az keyvault key list --vault-name <VaultName> \
--query "[*].{kid:kid, enabled:attributes.enabled, expires:attributes.expires}"
Verify that every entry with enabled = true has a non-null expires value.
PowerShell:
Get-AzKeyVault
Get-AzKeyVault -VaultName <VaultName>
# Check if EnableRbacAuthorization = True
Get-AzKeyVaultKey -VaultName <VaultName>
# Inspect each key for: Enabled = True and Expires ≠ null
How to fix it:
Azure Portal:
- Go to Key vaults > select a vault
- Click Keys
- For each enabled key, click into the key version
- Under Attributes, set an Expiration Date
- Save the changes
Azure CLI:
az keyvault key set-attributes \
--name <keyName> \
--vault-name <vaultName> \
--expires <YYYY-MM-DDTHH:MM:SSZ>
Note: In an RBAC-enabled vault the access-policy key permissions (such as "List") do not apply. Listing keys and reading their expiration attribute requires a data-plane role such as Key Vault Reader; changing an expiration date requires Key Vault Crypto Officer (or Key Vault Administrator). Assign these under the vault's Access control (IAM).
PowerShell:
Set-AzKeyVaultKeyAttribute `
-VaultName <VaultName> `
-Name <KeyName> `
-Expires (Get-Date).AddYears(1)
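The following script ties the check procedure and the fix procedure above together: it scopes to RBAC-enabled vaults, flags enabled keys whose attributes.expires is null, and prints the az keyvault key set-attributes command that would remediate each finding. It is an added example, not code from the original page or from Microsoft. The vault and key data are constructed samples shaped like az keyvault show and az keyvault key list output, the vault and key names are hypothetical, and the --live path assumes the Azure CLI is installed and logged in with a role that can list keys.

```python
"""Audit RBAC-enabled Azure Key Vaults for enabled keys that have no expiration
date, and emit the `az keyvault key set-attributes` command that fixes each one.

Added example (not the original page's code). Live collection assumes the Azure
CLI is installed and logged in; the sample data below is constructed, not real
output, and the vault/key names are hypothetical.
"""
import json
import subprocess
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample shaped like `az keyvault show` output, trimmed to what the
# check needs. Only the first vault is RBAC-enabled and therefore in scope.
SAMPLE_VAULTS = [
    {"name": "kv-rbac-prod", "properties": {"enableRbacAuthorization": True}},
    {"name": "kv-policy-legacy", "properties": {"enableRbacAuthorization": False}},
]

# Constructed sample shaped like `az keyvault key list --vault-name <vault>`.
SAMPLE_KEYS = {
    "kv-rbac-prod": [
        {"kid": "https://kv-rbac-prod.vault.azure.net/keys/signing-key",
         "attributes": {"enabled": True, "expires": "2026-01-01T00:00:00+00:00"}},
        {"kid": "https://kv-rbac-prod.vault.azure.net/keys/tde-key",
         "attributes": {"enabled": True, "expires": None}},   # the finding
        {"kid": "https://kv-rbac-prod.vault.azure.net/keys/retired-key",
         "attributes": {"enabled": False, "expires": None}},  # disabled: out of scope
    ],
    "kv-policy-legacy": [
        {"kid": "https://kv-policy-legacy.vault.azure.net/keys/old-key",
         "attributes": {"enabled": True, "expires": None}},   # access-policy vault: out of scope
    ],
}

# Fixed clock so the demo output is reproducible (constructed value).
FIXED_NOW = datetime(2025, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def rbac_vault_names(vaults):
    """Names of vaults with EnableRbacAuthorization = true (the check's scope)."""
    return [v["name"] for v in vaults
            if v.get("properties", {}).get("enableRbacAuthorization") is True]


def noncompliant_keys(vaults, keys_by_vault):
    """Key IDs of enabled keys with no `attributes.expires` in RBAC vaults."""
    findings = []
    for vault in rbac_vault_names(vaults):
        for key in keys_by_vault.get(vault, []):
            attrs = key.get("attributes", {})
            if attrs.get("enabled") is True and attrs.get("expires") is None:
                findings.append(key["kid"])
    return findings


def split_kid(kid):
    """'https://<vault>.vault.azure.net/keys/<name>[/<version>]' -> (vault, name)."""
    url = urlparse(kid)
    vault = url.netloc.split(".")[0]
    parts = url.path.strip("/").split("/")
    if len(parts) < 2 or parts[0] != "keys":
        raise ValueError(f"not a key identifier: {kid}")
    return vault, parts[1]


def remediation_commands(kids, lifetime_days=365, now=None):
    """Build one `az keyvault key set-attributes` argv per finding. The expiry
    is written in the YYYY-MM-DDTHH:MM:SSZ form the CLI's --expires expects."""
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=lifetime_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    commands = []
    for kid in kids:
        vault, name = split_kid(kid)
        commands.append(["az", "keyvault", "key", "set-attributes",
                         "--name", name, "--vault-name", vault, "--expires", expires])
    return commands


def az(*args):
    """Run an Azure CLI command and parse its JSON output (live use only)."""
    out = subprocess.run(["az", *args, "-o", "json"], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(out)


def collect_live():
    """Gather vaults and keys from the subscription the CLI is logged into."""
    vaults = [az("keyvault", "show", "--name", n)
              for n in az("keyvault", "list", "--query", "[].name")]
    keys = {v["name"]: az("keyvault", "key", "list", "--vault-name", v["name"])
            for v in vaults if v["properties"].get("enableRbacAuthorization")}
    return vaults, keys


if __name__ == "__main__":
    import sys
    live = "--live" in sys.argv
    vaults, keys = collect_live() if live else (SAMPLE_VAULTS, SAMPLE_KEYS)
    findings = noncompliant_keys(vaults, keys)
    for kid in findings:
        print("FAIL", kid)
    # Print (not run) the fix so it can be reviewed before it is applied.
    for argv in remediation_commands(findings, now=None if live else FIXED_NOW):
        print(" ".join(argv))
```

Two caveats when running this against a real subscription: az keyvault key list returns only the current version of each key, so older enabled versions need az keyvault key list-versions if they are in scope for you, and an expiration date that is already in the past satisfies this check even though the key is no longer usable, so a separate "expired but still enabled" review is worthwhile. The script only prints the remediation commands; review the chosen lifetime before applying them, since setting --expires on a key that a workload still uses will make cryptographic operations with it fail once the date passes.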
Exceptions:
None specified.
Further resources: